Target IP: 192.168.194.211
There are two TCP ports open on the target machine: SSH and HTTP.
Port 80: HTTP
The target host is using Apache, so the default page is displayed when I visit this application from a web browser. Doing a directory search leads to interesting directories as shown above.
The robots.txt contains the entries above. Only /election is a valid directory.
The /election is an interesting webpage. It is some sort of application that users can use to vote for candidates. After navigating around the website for some time, I did not find anything useful. Viewing the source code of the application did not result in anything useful.
After performing a scan against the directory, I obtained interesting results.
The /card.php is an interesting page. It contains binary data as shown above.
After converting the long binary data to ASCII, I got another long string of binary data. Converting this to ASCII as well, I obtained the result above. I now have the credentials: 1234:Zxc123!@#. Maybe I can spray this against SSH or another login page for this application.
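The two-stage conversion described above, as an added example that is not part of the original write-up: it peels nested layers of 8-bit binary text until the result is no longer binary, which shows why this encoding gives no protection to a secret left in a web-served file. The function names and the sample secret are constructed for illustration and are not taken from the target.

```python
import re

# A layer is text made only of 0/1 characters and whitespace.
BINARY_RE = re.compile(r"^[01\s]+$")


def decode_binary_layer(text):
    """Decode one layer of 8-bit binary text; return None if it is not one."""
    if not BINARY_RE.match(text):
        return None
    bits = "".join(text.split())
    if not bits or len(bits) % 8 != 0:
        return None  # not a whole number of bytes
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    try:
        return data.decode("ascii")
    except UnicodeDecodeError:
        return None  # bytes above 0x7f: not ASCII text


def peel_binary_layers(text, max_layers=10):
    """Decode repeatedly; return (final_text, number_of_layers_removed)."""
    layers = 0
    while layers < max_layers:
        decoded = decode_binary_layer(text)
        if decoded is None:
            break
        text, layers = decoded, layers + 1
    return text, layers


def encode_binary_layer(text):
    """Inverse of decode_binary_layer, used only to build the sample."""
    return " ".join(f"{b:08b}" for b in text.encode("ascii"))


# Constructed sample: a made-up secret encoded twice, as on /card.php.
SAMPLE_SECRET = "user:example-password"
SAMPLE_BLOB = encode_binary_layer(encode_binary_layer(SAMPLE_SECRET))

if __name__ == "__main__":
    plain, count = peel_binary_layers(SAMPLE_BLOB)
    print(f"{count} layer(s) removed -> {plain}")
```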
The /admin page contains a login page. Spraying the credentials 1234:Zxc123!@#, I gained access to the admin page.
After enumerating the web application for some time, I found an interesting section that contains more information about the web application. This section also contains a log file under the Logging then View Logs section. This log file contains the content above, the credential love:P@$$w0rd@123. Maybe it is a valid login for SSH?
Spraying the credentials I obtained from the log file worked! I now have a foothold on the machine as love.
I found an interesting binary called /usr/local/Serv-U/Serv-U. Doing a Google search returned the webpage above. I downloaded this exploit on my machine and transferred it to the target machine. After running the exploit, I gained a root shell.
The local.txt flag once I gained a foothold on the machine as the user love.
The root.txt flag once I used the local privilege escalation exploit against Serv-U.